2013 Security Predictions
Ah, my favorite time of the year – chestnuts roasting on an open fire, a brisk chill in the air and of course…predictions of all that await us in the coming year. Given my amazing historical accuracy (all archived on the blog for your enjoyment), it’s time to once again throw my hat in the ring. This year, being the coffee-loving (okay, coffee-addicted) lad that I am, I’m going to apply a coffee-flavored risk rating, to show just how far out on a limb I’m choosing to go with each prediction.
- Mild – Going head to head with the dart throwing chimps
- Medium – The stars will need to align, but ‘signs point to yes’
- Bold – I will definitely be saying ‘I told you so’ at this time next year
Begun, the MDM consolidation has... - News spread quickly in December 2012 when Citrix acquired Zenprise, in an effort to beef up their mobile offerings and help enterprises tackle the challenge of BYOD devices. With a magic quadrant so covered in dots that the quadrant itself is barely visible, consider this the starter's pistol in what is sure to be a year of fast and furious consolidation in the MDM space. There are simply too many vendors fighting for the same dollars for natural selection not to occur. Combine that with the old guard of the security and networking industries desperate to stay relevant in a mobile future and it's sure to be an interesting year.
Big data goes big time - Perhaps the strongest metric for a security technology reaching the 'peak of inflated expectations' comes every spring at the RSA Conference. A quick perusal of the most common marketing slogans decorating vendor booths reveals which technologies are about to blanket airport billboards the world over. 'Cloud' has held that lofty title for the past couple of years, but get ready for 'big data'. A host of security companies promising to better collect, manage and summarize security data to find the security needles in the haystack are about to take center stage, and you can rest assured that the old guard will quickly repackage existing solutions to join the party.
Detection vs Prevention - I recently attended a talk by Art Coviello, the President and CEO of RSA Security, in which he argued that the general budget spent on security solutions promising Prevention/Detection/Response capabilities is approximately an 80%/15%/5% split. I agree, and it illustrates that enterprises place far too much emphasis on prevention and the approach simply isn't working. The unfortunate reality for enterprises is that compromised PCs and data breaches are a daily fact of life. Even a budget focused 100% on prevention will not eliminate these issues. Spending too little on detection, however, will guarantee that these incidents go unnoticed and small compromises turn into catastrophic losses. Fortunately, thanks to increasing openness regarding compromises (some voluntary, some legally required), enterprises will begin shifting their security budget toward detective controls.
Mobile privacy - vendors called to the mat - Malicious mobile apps are like the pretty blonde at the party - even though they lack substance, they get all the attention. When a keystroke logger slips through the cracks and shows up, even for a brief period, in the Google Play store, it's front-page news. If, however, an app gathers end users' personally identifiable information, shares it with third parties and leaks millions of passwords, the media barely blinks an eye. The latter scenario is, however, infinitely more common than the former. Truly malicious apps are relatively rare in official app stores such as Google Play and they're extremely rare in Apple's App Store. On the other hand, apps with blatant privacy concerns are extremely common. Thanks to an increasing focus by researchers on privacy concerns and projects such as ZAP, 2013 will be the year that vendors and App Store gatekeepers can no longer ignore privacy issues.
Hacking the 'Internet of things' - We keep hearing about the 'Internet of things' - connected hardware devices that ensure our digital lifestyle is always online and always accessible, no matter where we are. From thermostats to garage door openers to security systems and appliances, traditional electronics are now Internet connected. The hardware industry unfortunately has a rather abysmal history when it comes to 'baking security in', so expect this wave of connected hardware to present a vast amount of low-hanging fruit for security researchers.
Microsoft finally dances with the devil - Paying for vulnerability information is no longer the moral sin that it once was. Vendors such as Mozilla and Google long ago made it an acceptable practice to reward security researchers for their hard work in uncovering vulnerabilities in their software by offering at least moderate financial rewards. Despite this trend, Microsoft has stubbornly clung to the line that they do not and will not pay for vulnerability information, despite the great benefit they receive when 'responsible disclosure' is followed and Microsoft is provided such information for free. That said, Microsoft has continued to make slow but steady steps forward - BlueHat, security conference sponsorship, financial rewards for the capture of malware authors, etc. As Microsoft realizes the need to ensure security as a differentiator for Windows 8/RT against mobile competitors, expect this to be the year they finally break their own rule.
The privatization of malware - The malware economy continues to become increasingly specialized, with individuals and groups often focusing on a single portion of an overall attack, be it reverse engineering, exploit creation, botnet herding, etc. With the value of a 0day vulnerability in a popular program now well into the six-figure range, we're no longer simply talking about lowbrow criminals dabbling in this world. White-collar researchers are parting with vulnerability information, selling it to a middleman and not asking questions about where it may end up. This trend will continue, but expect new participants to enter the fray, namely nation states. Governments, the US government included, have shown increasing comfort leveraging online attacks to achieve specific goals, as was the case with Stuxnet, or to enhance traditional physical attacks. Nation states, desperate for top talent to stay ahead, will not confine themselves to homegrown talent but will become increasingly aggressive bidders on the open market. Unlike physical weapons, whose R&D costs limit their production to governments willing to spend billions, 0day information thrives in the private market.
See you next year!